Colorado Governor Signs Data Security Bill into Law

June 7, 2018


Colorado bill HB 1128 has been signed into law by Governor John Hickenlooper. The bill strengthens protections for consumer data in the state of Colorado. The bipartisan bill, backed by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously approved by the Colorado State Parliament. The bill will become enforceable on September 1, 2018.

From that date, companies doing business in the state of Colorado must adopt reasonable security measures and practices to make sure the personal identifying information (PII) of state residents is protected. The bill also reduces the time allowed for notifying the state attorney general of breaches of PII and puts in place new laws for disposing of PII when it is no longer required.

Private information is defined as a first name and last name, or a first initial and last name, together with any of the following data elements (when not encrypted, redacted, or protected by another method that makes the information unreadable):

  • Social Security details
  • Bank account numbers, and credit card and debit card numbers with the associated security codes that would allow access/use
  • Email addresses along with passwords or security questions and answers
  • Biometric data
  • Health insurance policy number
  • Medical information and history
  • Driver’s license number or ID card
  • Passport identifications
  • Military ID information
  • Student identification number

Covered companies should implement and maintain “Reasonable safety practices and procedures that are suitable to the type of the PII and the type and size of the company and its operations.” Those practices must safeguard PII from illegal access, alteration, exposure, and destruction. In cases where PII is shared with a third party, the covered entity should make sure the third party also has reasonable security measures in place.

All companies that handle the private data of Colorado residents should develop a written policy covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII should be disposed of securely. The bill describes this as “shredding, deleting, or otherwise changing the PII in the paper or electronic documents to make the PII illegible or incomprehensible through any means.”